DETAILED ACTION 

1. This action is responsive to communication: filed on 21 September 2006, with 
acknowledgement of an original application filed on 15 January 2004. The IDS submitted 
21 September 2006 has been considered. 

2. Claims 1-20 are currently pending in this application. Claim 21 has been cancelled. 
Amendments to the claims have been accepted. Claims 1, 12, 19, and 20 are independent 
claims. 

3. The objection to the drawings is removed due to amendment. 

Response to Arguments 

4. Applicant's arguments with respect to claims 1-20 have been considered but they are not 
persuasive. 

In response to Applicant's argument on page 8, "Ahonen fails to teach or suggest 
'establishing a correspondence between the IP address and a first shared secret authorized for the 
user'": The Examiner disagrees; the shared secret is the Security Association (SA), see col. 1, 
lines 45-67. 

In response to Applicant's argument on page 8, "Ahonen fails to teach or suggest 
'receiving a second request from the user to form a virtual private network, the request 
incorporating a second shared secret'": The Examiner disagrees; the second shared secret is the 
second SA established. 

In response to Applicant's argument on page 8, "Ahonen fails to teach or suggest 
'determining whether the first shared secret matches the second shared secret'": The Examiner 
disagrees; this is clearly taught in Ahonen, see col. 9, line 20 through col. 10, line 7, which 
indicates that the SAs are compared and, if a match is found, an acknowledgement message is sent 
back to the mobile host. Note that the shared secrets are the SAs. 

In response to Applicant's argument on page 8, "Specifically, Ahonen fails to teach or 
suggest the use of a shared secret at all, let alone the specific uses of the shared secret described 
in claim 1. Ahonen utilizes digital certificates": The Examiner disagrees with this argument, and 
notes again that the shared secrets are the SAs, which do incorporate certificates. The Examiner 
also notes that, despite Applicant's claim of an improvement in not utilizing certificates, cancelled 
independent claim 21 utilized digital certificates; see the original presentation of the claims. 

Claim Rejections - 35 U.S.C. § 103 

5. The following is a quotation of 35 U.S.C. 103(a) which forms the basis for all 
obviousness rejections set forth in this Office action: 

(a) A patent may not be obtained though the invention is not identically disclosed or 
described as set forth in section 102 of this title, if the differences between the subject 
matter sought to be patented and the prior art are such that the subject matter as a whole 
would have been obvious at the time the invention was made to a person having ordinary 
skill in the art to which said subject matter pertains. Patentability shall not be negatived 
by the manner in which the invention was made. 

6. Claims 1, 4, 6, 8-12, 15, 17, and 19-20 are rejected under 35 U.S.C. 103(a) as being 
unpatentable over Ahonen, US Patent No. 6,976,177 (hereinafter '177). 

As to independent claim 1, "A method of establishing a virtual private network 
tunnel, the method comprising: receiving, from a user whose IP address is not known in 
advance, a first request to form an encrypted tunnel with a security gateway" is taught in 
'177 col. 9, lines 6-35; 

"forming the encrypted tunnel" is shown in '177 col. 9, lines 36-51; 

"determining an IP address of the user; establishing a correspondence between the 
IP address and a first shared secret authorized for the user" is taught in '177 col. 10, 
lines 8-15; 

"determining whether the first shared secret matches the second shared secret; and 
forming the virtual private network tunnel when the first shared secret matches the second 
shared secret" is shown in '177 col. 9, line 52 through col. 10, line 7 and col. 1, lines 43-47. 
The following is not explicitly taught in '177: 

"authenticating the user"; however, '177 teaches "means for negotiating one or more 
Security Associations (SAs) between the mobile host and the Security Gateway (SG); (2) means 
for subsequently initiating a communication between the mobile host and the SG using a 
negotiated SA and for receiving an authentication certificate sent from the mobile host, the 
certificate containing at least the identity of the mobile host and an IP address of the mobile 
host" and "the cryptographic identity of the mobile host 1; the (New) Source and Destination IP 
addresses (if changed); the ISAKMP Cookies of the mobile host 1 and the correspondent host 4, 
(under which the phase 2 negotiation was done); the IPsec protocol ID (AH, ESP); the SPI 
number of the phase 2 SA (usually the next available SA which was created during the 
preparations functions and which has not expired); current sequence number of the requested 
phase 2 SA (if this SA has been used earlier, then this number has increased in the counter of 
mobile host 1)" in col. 2, lines 62-67 and col. 9, lines 34-46. Note that the Security Association (SA) 
is known in the art to have the same meaning as authenticating the user. 

"receiving a second request from the user to form a virtual private network tunnel, 
the request incorporating a second shared secret"; however, '177 teaches in col. 9, lines 43-46, 
an update of a sequence number depending upon the number of requests, which has the same meaning as 
receiving a second request. 

It would have been obvious to one of ordinary skill in the art at the time of the invention 
to modify the method of establishing a Virtual Private Network (VPN) taught in '177 to include 
a means to allow a mobile client to request a second VPN. One of ordinary skill in the art would 
have been motivated to perform such a modification because of the increasing demand for 
mobility, see '177 (col. 1, lines 11 et seq.): "There is an ever increasing demand for mobility in 
communications systems. However, this demand must be met in a manner which provides for 
the secure transfer of data between communicating parties. A concept known as the Virtual 
Private Network (VPN) has recently been introduced, with the aim of satisfying, by a 
combination of encryption and secure access, this demand. A VPN may involve one or more 
corporate Local Area Networks (LANs) or intranets, as well as users coupled to 'foreign' LANs, 
the Internet, wireless mobile networks, etc". 

As to dependent claim 4, "wherein the second request comprises a request to form 
an IPSec tunnel" is taught in '177 col. 2, lines 5-10. 

As to dependent claim 6, "wherein the second request incorporates a hashing 
function based on the second shared secret" is shown in '177 col. 2, lines 46-56. 

As to dependent claim 8, "wherein the establishing step comprises making an entry 
in an IPSec table, the entry comprising the IP address and the first shared secret" is shown 
in '177 col. 8, lines 35-65 and col. 9, lines 51-57. 

As to dependent claim 9, "wherein the entry is a temporary entry that is deleted 
after the occurrence of a predetermined event" is disclosed in '177 col. 2, lines 38-43. 

As to dependent claim 10, "wherein the predetermined event comprises a passage of 
a predetermined time" is taught in '177 col. 2, lines 43-46. 

As to dependent claim 11, "further comprising the step of tearing down the virtual 
private network tunnel when the temporary entry is deleted" is shown in '177 col. 10, line 
66 through col. 11, line 6, and col. 12, lines 44-51. 
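The method recited in claim 1 and dependent claims 6 and 8-11 above, modelled end to end as an added example. This is illustrative code written for this page; it is not the applicant's implementation, not Ahonen '177, and not any product. Assumptions not stated in the claims: the user is authenticated by a username/password pair (the claim 3 variant) checked against a constructed credential store; the "hashing function based on the second shared secret" of claim 6 is an HMAC-SHA256 tag over the second request; the "IPSec table" of claim 8 is an in-memory dictionary keyed by IP address; the clock is injectable so the predetermined time of claims 9-10 can be driven deterministically; the IP address and credentials are constructed sample values.

```python
import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass


@dataclass
class TableEntry:
    """One temporary IPsec-table entry (claims 8-10): the IP address determined from
    the first request, the first shared secret authorized for the user, and the time
    after which the entry is deleted."""
    ip: str
    secret: bytes
    expires_at: float


class SecurityGateway:
    """Hypothetical security gateway; class and method names are assumptions."""

    def __init__(self, lifetime_seconds=300.0, clock=time.monotonic):
        self.lifetime = lifetime_seconds
        self.clock = clock
        self.ipsec_table = {}   # ip -> TableEntry (the "IPSec table" of claim 8)
        self.tunnels = set()    # IPs for which a VPN tunnel has been formed
        # Constructed credential store: username -> (salt, PBKDF2-SHA256 hash).
        salt = b"constructed-salt"
        self.users = {"alice": (salt, self._kdf(b"correct horse", salt))}

    @staticmethod
    def _kdf(password, salt):
        return hashlib.pbkdf2_hmac("sha256", password, salt, 100_000)

    def authenticate(self, username, password):
        rec = self.users.get(username)
        if rec is None:
            return False
        salt, stored = rec
        return hmac.compare_digest(stored, self._kdf(password, salt))

    def first_request(self, src_ip, username, password):
        """First request, assumed to arrive over the already formed encrypted tunnel
        (e.g. HTTPS). Authenticate the user, determine the IP from the packet's source
        address, generate a first shared secret and bind it to that IP in a temporary
        entry. Returns the secret to hand back to the user, or None on failure."""
        if not self.authenticate(username, password):
            return None
        secret = secrets.token_bytes(32)
        self.ipsec_table[src_ip] = TableEntry(src_ip, secret, self.clock() + self.lifetime)
        return secret

    @staticmethod
    def tag_request(shared_secret, body):
        """Client side: the second request carries an HMAC over its body keyed with the
        second shared secret (claim 6), so the secret itself is never sent in the clear."""
        return hmac.new(shared_secret, body, hashlib.sha256).digest()

    def second_request(self, src_ip, body, tag):
        """Second request: look up the first shared secret by source IP, discard expired
        entries, and decide whether the first and second secrets match by verifying the
        tag in constant time. The VPN tunnel is formed only on a match."""
        self.expire_entries()
        entry = self.ipsec_table.get(src_ip)
        if entry is None:
            return False
        expected = hmac.new(entry.secret, body, hashlib.sha256).digest()
        if not hmac.compare_digest(expected, tag):
            return False
        self.tunnels.add(src_ip)
        return True

    def expire_entries(self):
        """Delete entries past the predetermined time (claims 9-10) and tear down the
        tunnel formed from each deleted entry (claim 11). Returns the deleted IPs."""
        now = self.clock()
        stale = [ip for ip, e in self.ipsec_table.items() if e.expires_at <= now]
        for ip in stale:
            del self.ipsec_table[ip]
            self.tunnels.discard(ip)
        return stale


def demo():
    """Walk through both requests, a mismatched secret, and expiry with a fake clock."""
    t = [0.0]
    gw = SecurityGateway(lifetime_seconds=60.0, clock=lambda: t[0])
    secret = gw.first_request("203.0.113.7", "alice", b"correct horse")
    body = b"constructed IPsec proposal: ESP, AES-GCM"
    ok = gw.second_request("203.0.113.7", body, SecurityGateway.tag_request(secret, body))
    wrong = gw.second_request("203.0.113.7", body, SecurityGateway.tag_request(b"x" * 32, body))
    t[0] = 61.0
    torn_down = gw.expire_entries()
    return ok, wrong, torn_down, "203.0.113.7" in gw.tunnels
```

Two points a practitioner would check in this flow: the match decision uses a constant-time comparison so that a forged tag cannot be distinguished from a valid one by timing, and the table is keyed by the address seen on the first request, so a second request from any other address (for instance a mobile host whose address changed between the two requests, the case '177 handles with its "(New) Source and Destination IP addresses (if changed)" field) is refused until the first step is repeated.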

As to independent claim 12, this claim is directed to a computer program comprising 
the instructions for a Security Gateway to implement the method of claim 1; therefore it is 
rejected along similar rationale. 

As to independent claim 19, this claim is directed to a security gateway to implement 
the method of claim 1; therefore it is rejected along similar rationale. 

As to independent claim 20, this claim is directed to a security gateway that 
incorporates the limitations of claim 1 plus the following limitations in bold that are also taught 
in '177: 

"a first port configured for communication with the Internet" is shown in '177 col. 3, 
lines 57-60; 

"a second port configured for communication with a private network" is disclosed in 
'177 col. 3, lines 57-67; 

"at least one processor configured to: receive, via the first port" is taught in '177 col. 
3, lines 57-67. 

7. Claims 2, 3, 5, 13, 14, and 16 are rejected under 35 U.S.C. 103(a) as being unpatentable 
over '177 in view of Subramaniam et al., US Patent No. 6,640,302 (hereinafter '302). 
As to dependent claim 2, the following is not taught in '177: "wherein the first request 
comprises a request to form a Hypertext Transfer Protocol over Secure Socket Layer 
session"; however, '302 teaches "The border server is connectable to the target server by a first 
communications link, such as an intranet or Ethernet link. The client is connectable to the border 
server by a second communications link, such as a TCP/IP link. The client and the border server 
are configured to support secure sockets layer communication over the second communications 
link using SSL or similar software" in col. 3, lines 17-32. 

It would have been obvious to one of ordinary skill in the art at the time of the invention 
to modify the method of establishing a Virtual Private Network (VPN) taught in '177 to include 
a means to utilize SSL connections. One of ordinary skill in the art would have been motivated 
to perform such a modification because of the growth of secure networks, see '302 (col. 1, lines 31 et 
seq.): "With the growth of such secure networks and their information content, there is an urgent 
need to support secure access by authorized users even when those users log in from a client 
machine outside the network security perimeter. A wide variety of tools and techniques relating 
to networks and/or security are known, at least individually and to at least some extent, 
including: computer network architectures including at least transport and session layers, 
sockets, clients, and servers; hyperlinks and uniform/universal resource locators (URLs); 
communications links such as Internet connections and LAN connections; proxy servers for 
HTTP and some other protocols; internetworking; Kerberos authentication; authentication 
through certificates exchanged during an SSL handshake; tying certificates to access control lists 
so that users are identified in certificates presented during the SSL handshake instead of being 
identified by an IP address, DNS name, or username and password". 
As to dependent claim 3, "wherein the authenticating step comprises receiving and 
verifying a username/password pair from the user" is taught in '302 col. 8, lines 45-62. 

As to dependent claim 5, "wherein the establishing step comprises comparing a 
username and password provided by the user with a database of usernames, passwords 
and shared secrets" is shown in '302 col. 9, lines 2-15 and '177 col. 9, lines 52-67. 

As to dependent claims 13, 14, and 16, these claims contain substantially similar subject 
matter as claims 2, 3, and 5; therefore they are rejected along similar rationale. 

8. Claims 7 and 18 are rejected under 35 U.S.C. 103(a) as being unpatentable over '177 in 
view of Jari et al., US Patent No. 6,907,532 (hereinafter '532). 

As to dependent claim 7, the following is not explicitly taught in '177: "wherein the 
step of determining whether the first shared secret matches the second shared secret 
comprises attempting to decrypt at least a portion of the second request"; however, '532 
teaches "The controller may be arranged to encrypt the security association database for storing 
in the non-volatile memory and to decrypt the security association database upon retrieval from 
the non-volatile memory" in col. 2, lines 33-36. 

It would have been obvious to one of ordinary skill in the art at the time of the invention 
to modify the method of establishing a Virtual Private Network (VPN) taught in '177 to include 
a means for decrypting communications. One of ordinary skill in the art would have been 
motivated to perform such a modification to prevent unauthorized access, see '532 (col. 1, lines 
60 et seq.): "Security associations generally have a limited lifetime so as to prevent unauthorised 
access by deciphering each security association. When a security association reaches the end of 
its defined lifetime, it is replaced by another previously negotiated security association between 
the mobile user and the security gateway". 

As to dependent claim 18, this claim contains substantially similar subject matter as 
claim 7; therefore it is rejected along similar rationale. 

Conclusion 

THIS ACTION IS MADE FINAL. Applicant is reminded of the extension of time policy as 
set forth in 37 CFR 1.136(a). A shortened statutory period for reply to this final action is set to 
expire THREE MONTHS from the mailing date of this action. In the event a first reply is filed 
within TWO MONTHS of the mailing date of this final action and the advisory action is not 
mailed until after the end of the THREE-MONTH shortened statutory period, then the shortened 
statutory period will expire on the date the advisory action is mailed, and any extension fee 
pursuant to 37 CFR 1.136(a) will be calculated from the mailing date of the advisory action. In 
no event, however, will the statutory period for reply expire later than SIX MONTHS from the 
mailing date of this final action. 

9. Any inquiry concerning this communication or earlier communications from the 
examiner should be directed to Ellen C. Tran whose telephone number is 
(571) 272-3842. The examiner can normally be reached from 10:00 am to 6:30 pm. 

If attempts to reach the examiner by telephone are unsuccessful, the examiner's 
supervisor, Jacques H. Louis-Jacques, can be reached on (571) 272-6962. The fax phone number 
for the organization where this application or proceeding is assigned is (571) 273-8300. 

Information regarding the status of an application may be obtained from the Patent 
Application Information Retrieval (PAIR) system. Status information for published applications 
may be obtained from either Private PAIR or Public PAIR. Status information for unpublished 
applications is available through Private PAIR only. For more information about the PAIR 
system, see http://pair-direct.uspto.gov. Should you have questions on access to the Private PAIR 
system, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). 

Ellen C. Tran 
Patent Examiner 
Technology Center 2134 
11 November 2006 